The growing diversity of connected devices leads to complex network deployments, often made up of endpoints that implement incompatible network application protocols. Communication between heterogeneous network protocols was traditionally enabled by hardware translators or gateways. However, such solutions are increasingly unfit to address the security, scalability, and latency requirements of modern software-driven deployments. To address these shortcomings we propose Chuchotage, a protocol translation architecture for secure and scalable machine-to-machine communication. Chuchotage enables in-line TLS interception and confidential protocol translation for software-defined networks. Translation is done in ephemeral, flow-specific Trusted Execution Environments and scales with the number of network flows. Our evaluation of Chuchotage implementing an HTTP to CoAP translation indicates a minimal transmission and translation overhead, allowing its integration with legacy or outdated deployments.
- Protocol conversion
- Application layer protocols
- Software defined networking
- Cross-layer optimization
This is a preview of subscription content, access via your institution.
Tax calculation will be finalised at checkout
Purchases are for personal use onlyLearn about institutional subscriptions
Communication servers including a virtual gateway to perform protocol translation.
The term chuchotage is a form of interpreting where the linguist is near a small target audience and whispers a simultaneous interpretation of what is being said.
Semantic Integration & Interoperability Using RDF and OWL (2005). https://www.w3.org/2001/sw/BestPractices/OEP/SemInt/. Accessed 15 Oct 2020
AMD SEV-SNP: Strengthening VM isolation with integrity protection and more. White paper, Advanced Micro Devices, January 2020
Anati, I., Gueron, S., Johnson, S., Scarlata, V.: Innovative technology for CPU based attestation and sealing. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, New York, NY, USA, vol. 13, p. 7. ACM (2013)
Baek, J., Kim, J., Susilo, W.: Inspecting TLS anytime anywhere: a new approach to TLS interception. In: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 116–126 (2020)
de Carné de Carnavalet, X., van Oorschot, P.C.: A survey and analysis of TLS interception mechanisms and motivations. arXiv e-prints. arXiv-2010 (2020)
Coker, G., et al.: Principles of remote attestation. Int. J. Inf. Secur. 10(2), 63–81 (2011). https://doi.org/10.1007/s10207-011-0124-7
Derhamy, H., Eliasson, J., Delsing, J.: IoT interoperability-on-demand and low latency transparent multiprotocol translator. IEEE Internet Things J. 4(5), 1754–1763 (2017)
Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard), August 2008. https://doi.org/10.17487/RFC5246. https://www.rfc-editor.org/rfc/rfc5246.txt. Updated by RFCs 5746, 5878, 6176, 7465, 7507, 7568, 7627, 7685, 7905, 7919
Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)
Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018. https://doi.org/10.17487/RFC8446
Garbelini, M.E., Wang, C., Chattopadhyay, S., Sumei, S., Kurniawan, E.: SweynTooth: unleashing mayhem over bluetooth low energy. In: 2020 USENIX Annual Technical Conference (USENIX ATC 2020), pp. 911–925. USENIX Association, July 2020. https://www.usenix.org/conference/atc20/presentation/garbelini
Gregg, B.: Systems Performance, 2nd edn. Pearson, London (2020)
Hosseinzadeh, S., Liljestrand, H., Leppänen, V., Paverd, A.: Mitigating branch-shadowing attacks on intel SGX using control flow randomization. In: Proceedings of the 3rd Workshop on System Software for Trusted Execution, pp. 42–47 (2018)
Hunt, G.D.H., et al.: Confidential computing for openpower. In: EuroSys 2021, New York, NY, USA, pp. 294–310. ACM (2021). https://doi.org/10.1145/3447786.3456243
Kate, A., Goldberg, I.: Distributed private-key generators for identity-based cryptography. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 436–453. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15317-4_27
Kreutz, D., Ramos, F.M., Verissimo, P.E., Rothenberg, C.E., Azodolmolky, S., Uhlig, S.: Software-defined networking: a comprehensive survey. Proc. IEEE 103(1), 14–76 (2014)
Lam, S.S.: Protocol conversion. IEEE Trans. Softw. Eng. 14(3), 353–362 (1988)
Lee, D., Kohlbrenner, D., Shinde, S., Asanović, K., Song, D.: Keystone: an open framework for architecting trusted execution environments. In: Proceedings of the Fifteenth European Conference on Computer Systems. EuroSys 2020, New York, NY, USA. ACM (2020). https://doi.org/10.1145/3342195.3387532
Lee, H., et al.: maTLS: How to make TLS middlebox-aware? In: NDSS (2019)
Li, J., Chen, R., Su, J., Huang, X., Wang, X.: ME-TLS: middlebox-enhanced TLS for internet-of-things devices. IEEE Internet Things J. 7(2), 1216–1229 (2020). https://doi.org/10.1109/JIOT.2019.2953715
McKeen, F., et al.: Innovative instructions and software model for isolated execution. Hasp@ isca 10(1) (2013)
McKeown, N., et al.: Openflow: enabling innovation in campus networks. SIGCOMM Comput. Commun. Rev. 38(2), 69–74 (2008)
Medina, J., Paladi, N., Arlos, P.: Protecting OpenFlow using Intel SGX. In: 2019 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), pp. 1–6. IEEE (2019)
Nilsson, A., Bideh, P.N., Brorsson, J.: A survey of published attacks on Intel SGX. arXiv preprint arXiv:2006.13598 (2020)
Noura, M., Atiquzzaman, M., Gaedke, M.: Interoperability in internet of things: taxonomies and open challenges. Mob. Netw. Appl. 24(3), 796–809 (2019)
Safaric, S., Malaric, K.: Zigbee wireless standard. In: Proceedings of ELMAR 2006, pp. 259–262 (2006). https://doi.org/10.1109/ELMAR.2006.329562
Shen, Y., et al.: Occlum: secure and efficient multitasking inside a single enclave of Intel SGX. In: Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2020, New York, NY, USA, pp. 955–970. ACM (2020). https://doi.org/10.1145/3373376.3378469
Svenningsson, J., Paladi, N., Vahidi, A.: Faster enclave transitions for IO-intensive network applications. In: Proceedings of the ACM SIGCOMM 2021 Workshop on Secure Programmable Network INfrastructure, SPIN 2021, New York, NY, USA, pp. 1–8. ACM (2021). https://doi.org/10.1145/3472873.3472879
Svenningsson, J., Paladi, N., Vahidi, A.: SGX-bundler: speeding up enclave transitions for IO-intensive applications. In: The 22nd IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing. IEEE-Institute of Electrical and Electronics Engineers Inc. (2022)
Tolk, A.: Composable mission spaces and M &S repositories-applicability of open standards. In: Spring Simulation Interoperability Workshop, Arlington, VA (2004)
Tu, W., Wei, Y.H., Antichi, G., Pfaff, B.: Revisiting the open vswitch dataplane ten years later. In: Proceedings of the 2021 ACM SIGCOMM 2021 Conference, SIGCOMM 2021, New York, NY, USA, pp. 245–257. ACM (2021). https://doi.org/10.1145/3452296.3472914
Uddin, M., Mukherjee, S., Chang, H., Lakshman, T.: SDN-based multi-protocol edge switching for IoT service automation. IEEE J. Sel. Areas Commun. 36(12), 2775–2786 (2018)
Yao, J., Zimmer, V.: Virtual Firmware, pp. 459–491. Apress, Berkeley (2020). https://doi.org/10.1007/978-1-4842-6106-4_13
Zanella, A., Bui, N., Castellani, A., Vangelista, L., Zorzi, M.: Internet of things for smart cities. IEEE Internet Things J. 1(1), 22–32 (2014)
This work was financially supported in part by the Swedish Foundation for Strategic Research, with the grant RIT17-0035, and by the Wallenberg AI, Autonomous Systems and Software Program (WASP).
Editors and Affiliations
1.1 A.1 Common IoT Communication Protocols
In the TCP/IP network model, the physical or data link layer is responsible for physical transmissions; characteristics of applications - such as latency and availability - directly impact traffic characteristics on the link layer. The network layer is responsible for routing and forwarding packets; considering that IoT devices are often resource-constrained, the information necessary for routing should be kept at a minimum. Finally, transport layer protocols (such as TCP and UDP) manage end-to-end communication between network endpoints.
Physical network gateways are commonly used for interoperability in the physical and network layers or transport layer . Gateways have limited scalability : as the number of IoT devices increases, special connectors are required for their interaction, thus adding both cost and complexity to the network.
Application communication between network endpoints is implemented on the application layer. Middleware can perform translation in the application layer; however, connecting middleware components risks further reducing interoperability by locking applications to a specific technology. Interception proxies are an alternative for application layer translation; however, proxies cause delays since all traffic transits through proxies even when translation is unnecessary .
Proxies and middleware currently available for application layer protocol translation are increasingly unsuitable for secure, distributed, and transparent application layer protocol translation.
Several application layer protocols - namely HTTP, CoAP, MQTT, and AMQP - have been widely reviewed in academic publications and adopted in large scale deployments. We compare these protocols in Table 1.
1.2 A.2 Open vSwitch Overview
OpenvSwitch (OvS) is an open source programmable switch  that implements packet forwarding on the datapath; it is a flow-based switch, where clients install flows determining forwarding decisions. Flows are installed in a cache level structure that assists the datapath to execute actions on received packets, e.g. allow, drop, etc. For each ingress packet, the datapath consults its cache and forwards the packet to its destination if matching entries exist. For each cache miss, the datapath issues an upcall and forwards the packet to ovs-vswitchd. A datapath can be deployed as a kernel module or in user space with additional firmware support. Packet classification in OvS is computationally expensive, mostly due to the many types of matching fields. Matching is implemented in a hash table of flow rules, with matching fields hashed as keys. OvS uses a modified Tuple Space Search (TSS) algorithm for packet classification. The algorithm searches through the hash map tables based on the maximum entry’s priority and terminates after finding the highest priority matching flow rule. Early OvS releases implemented OpenFlow processing exclusively as a kernel module. However, the difficulty of developing and updating kernel modules motivated moving packet classification to user space. A multi-level cache structure kernel implementation compensates the resulting performance impact. The cache structure consists of two levels with increasing lookup costs: a microflow cache (or Exact Match Cache) and a larger megaflow cache. The megaflow cache matches multiple flows with wildcards .
Open vSwitch Forwarding. Figure 6 illustrates the OvS internals. An incoming packet reaches the datapath from either a physical or virtual NIC (1). In the datapath, the switch runs a first search based on an exact match (2). If there is a matching entry in the microflow cache, the packet is sent to the specific table in the megaflow cache to retrieve the required actions. Otherwise, the forwarding process performs a second search in the next cache line (3). Failing to find a match, the datapath uses upcalls (4) to inform the ovs-vswitchd that it cannot handle the packet. The ovs-vswitchd uses the classification process (5) to obtain a matching rule via its flow tables. Next, ovs-vswitchd returns to the datapath, inserts the entry in the cache (6), and returns the packet to the kernel (7). Finally, the datapath forwards the packet to the intended destination (8). Failing to find matching information in the flow tables, ovs-vswitchd sends a packet-in request to the network controller to get a matching rule for the unknown packet.
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Nikbakht Bideh, P., Paladi, N. (2022). Chuchotage: In-line Software Network Protocol Translation for (D)TLS. In: Alcaraz, C., Chen, L., Li, S., Samarati, P. (eds) Information and Communications Security. ICICS 2022. Lecture Notes in Computer Science, vol 13407. Springer, Cham. https://doi.org/10.1007/978-3-031-15777-6_32
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15776-9
Online ISBN: 978-3-031-15777-6